The World Cup Wasn't Brazil's Only Loss: Boleto Malware Emerges

In light of the recent fraud campaign against Brazil's banking industry, what must payments industry players do to fight malware-based payments fraud?

While most of Brazil may still be recovering from their heartbreaking loss, cyber criminals were already busy at work before, after, and during the World Cup series. These cyber criminals were attacking enterprise infrastructures through data theft, jamming websites, and most notably, conducting a massive fraud campaign against Brazil’s banking industry through Boleto Bancario, a popular method of money order payment. As revealed in RSA’s recent report, a Boleto malware campaign resulted in a potential loss of US$3.75 billion as cyber criminals targeted the Boleto payment method throughout the past year, posing a major threat to the financial services system.

Why Brazil? For starters, Brazil spent $14 billion in federal funds to prepare for the World Cup. (Yes, that’s billion with a B!) With the country’s unique Boleto payment system being used for 100 percent of business-to-business payments, the World Cup preparation made the country an ideal target for cyber criminals. For Russia, the host of the next World Cup in 2018, the time is now to prepare for an onslaught of probable cyber attacks against widely used payment methods such as Qiwi, WebMoney, and Yandex.Money -- Russian services equivalent to PayPal.

New additions to the Boleto malware family

In July, Trusteer researchers uncovered two additional malware families targeting the Boleto payment system. These variants operate quite differently from the Eupuds malware variant highlighted in the RSA report. As a result, we now know that there are three distinct major attack methods being used to conduct Boleto payment fraud that payment and banking security decision makers need to be aware of:

Web injection

DOM manipulation

Browser extension scanners

Unfortunately, the new Boleto malware families that Trusteer identified are not yet known to the industry as financial -- or Boleto-related -- malware. Our research indicates that approximately one in every 900 machines in Brazil is infected with some form of Boleto malware at any given point.

What the Boleto attacks can teach other payment systems

Cyber criminals have become so sophisticated and thorough in their attacks that it’s not unreasonable to expect that new approaches will soon start targeting other electronic payment forms. It’s imperative that we identify effective methods of protection that will be sustainable for the long run. Here are a few recommendations for companies involved in the payment system to keep in mind to fight malware-based fraud:

Stop thinking of security protection as a “post mortem” discussion. The best approach is to detect threats in real-time instead of after significant fraudulent transactions have occurred. Security needs to be a top-of-mind discussion for payment companies.

The most effective way to fight malware-based fraud is at the point of attack, that is, the customer’s device. By focusing on detecting and preventing the root cause of most financial fraud -- malware -- security solutions can, in turn, prevent fraudulent transactions from being created before they enter the payments system.
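All three attack methods listed above (web injection, DOM manipulation, browser extension scanners) end the same way: the boleto digits the customer sees or submits are no longer the digits the server rendered. A server-side integrity check that refuses such a transaction is one way to keep a tampered boleto out of the payments system. The following is an added example, not code from the article, Trusteer, or RSA; it assumes a web checkout in which the server renders the "linha digitável" together with a keyed tag (an HMAC over the session id and the digits) and later verifies the submitted digits against that tag. The session ids, key and sample boleto line are constructed for the example; the sample line has the 47-digit layout but is not a real boleto.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Server-side secret, never sent to the browser. Constructed for this example.
SERVER_KEY = b"example-only-server-key"

# A boleto "linha digitavel" is 47 digits, usually displayed with dots and spaces.
LINHA_RE = re.compile(r"^\d{47}$")

# Constructed sample value: right length and layout, but not a real boleto.
SAMPLE_LINHA = "23793.38128 60007.827136 95000.063305 9 84440000017000"


def normalize(linha: str) -> str:
    """Strip the dots and whitespace used for display so the digits can be compared."""
    return re.sub(r"[.\s]", "", linha)


def issue_tag(session_id: str, linha: str) -> str:
    """Server side, when the boleto is rendered: bind these digits to this session.

    The tag travels with the page (e.g. in a hidden form field) next to the
    digits. Only the holder of SERVER_KEY can produce it, so code that rewrites
    the digits inside the browser cannot produce a matching tag for the new digits.
    """
    digits = normalize(linha)
    if not LINHA_RE.match(digits):
        raise ValueError("linha digitavel must contain exactly 47 digits")
    message = f"{session_id}|{digits}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


@dataclass
class Verdict:
    ok: bool
    reason: str


def verify_submission(session_id: str, submitted_linha: str, tag: str) -> Verdict:
    """Server side, when the customer confirms payment: accept only digits that
    match the tag issued for this session."""
    digits = normalize(submitted_linha)
    if not LINHA_RE.match(digits):
        return Verdict(False, "malformed")
    expected = issue_tag(session_id, digits)
    # Constant-time comparison so the check itself does not leak tag bytes.
    if not hmac.compare_digest(expected, tag):
        return Verdict(False, "digits do not match what the server issued for this session")
    return Verdict(True, "ok")


def demo() -> dict:
    """Walk through the round trip and return the verdicts for inspection."""
    session = "session-abc123"  # constructed session identifier
    tag = issue_tag(session, SAMPLE_LINHA)

    # 1. Untouched submission: the digits the server rendered come back unchanged.
    clean = verify_submission(session, SAMPLE_LINHA, tag)

    # 2. Simulated client-side tampering: the leading digits were swapped before
    #    submission, which is the effect a DOM rewrite has on the form data.
    tampered_digits = "999" + normalize(SAMPLE_LINHA)[3:]
    tampered = verify_submission(session, tampered_digits, tag)

    # 3. Replay: a valid tag from another session does not transfer.
    replayed = verify_submission("session-other", SAMPLE_LINHA, tag)

    return {"clean": clean, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} ok={verdict.ok} reason={verdict.reason}")
```

This check only protects boletos the server itself rendered and tagged; it does not detect the infection, and a rewrite that happens before the digits ever reach the server (for example in a boleto received from a third party) is outside its reach. That is why it complements, rather than replaces, detection on the customer's device, which is the point made above.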

Focus on the root cause of fraud and on winning the battle. Identify where security holes are likely to be found and take extra measures to make sure these holes are patched. Have you taken a holistic look at your security approach? If not, it’s time to analyze every pocket of security within your payment system.

With or without a worldwide sporting event stage, payment transactions will continue in all shapes on a regular basis. Financial data is personal and important, so it’s critical to reinstate customer confidence in their payment method options. The reality is that new forms of Boleto malware will continue to emerge; take the time to update your payment security now before valuable customer data, monetary funds, and trust are in danger.

George Tubin is the Senior Security Strategist for Trusteer, an IBM company, where he heads the thought leadership program to advance online and mobile banking security and adoption, and advises enterprises on best practices for protecting corporate assets from targeted ...

Good points. Our regulators have always had the problem of jurisdiction with non-bank payment providers. But, if/when we see these new payment types taking on a more meaningful market share such that the risks to these systems pose a risk to the US payment system, I think we'll see more pressure for these new payment systems to be more tightly regulated by the banking regulators.

I know that here in the US some states are beginning to introduce their own cyber security regulations, since any kind of national cyber security legislation is stalled in Washington right now. But it's important to think of this as an international problem as this article illustrates. And different governments and law enforcement agencies are going to have to work together across jurisdictions if they're going to really protect people.

Since payments is where a lot of bank disintermediation is occurring (or expected to occur) it will be interesting to see how these non-bank/traditional players respond to threats like Boleto and others that are sure to follow. Thanks for this update, George. Do you expect to see regulators address these kinds of threats in any way, and do you think they will be turning their attention to the non-bank players entering the space (perhaps making it less attractive to them?)?